The Kubernetes API server should validate that the service account token exists in etcd
Set up the kubernetes integration.
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Description
Service accounts should be validated before validating the token. If --service-account-lookup
is not enabled, the API server only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This enables you to use a service account token even after the corresponding service account is deleted.
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter. --service-account-lookup=true
NOTE: Alternatively, you can delete the --service-account-lookup
parameter from this file so that the default takes effect.